
Host Compliance Check

The host compliance check function checks the security status of hosts running SSL VPN clients. Based on the check result, the SSL VPN server determines a security level for each host and assigns the corresponding resource access rights. It is a way to assure the security of SSL VPN connections. The checked factors include the operating system, IE version, and the installation of specific software.

The factors to be checked by the SSL VPN server are displayed in the list below:

Factor Description
Operating system
  • Operating system, e.g., Windows 2000, Windows 2003, Windows XP, Windows Vista, Windows 7, Windows 8, etc.
  • Service pack version, e.g., Service Pack 1
  • Windows patch, e.g., KB958215, etc.
  • Whether the Windows Security Center and Automatic Updates are enabled.

  • Whether the installation of AV software is compulsory, and whether the real-time monitor and the auto update of the signature database are enabled.

  • Whether the installation of anti-spyware is compulsory, and whether the real-time monitor and the online update of the signature database are enabled.

  • Whether the personal firewall is installed, and whether the real-time protection is enabled.

  • Whether the IE version and security level reach the specified requirements.

Other configurations
  • Whether the specified processes are running.
  • Whether the specified services are installed.
  • Whether the specified services are running.
  • Whether the specified registry key values exist.
  • Whether the specified files exist in the system.

Role Based Access Control and Host Compliance Check Procedure

Role Based Access Control (RBAC) means that a user's permissions are determined not by the user name but by the user's role. The resources a user can access after login are determined by the corresponding role, so the role is the bridge connecting the user and the permissions.

The SSL VPN host checking function supports RBAC, and the host checking procedure introduces the concepts of primary role and guest role. The primary role determines which host compliance check profile (containing the host checking contents and the security level) is applied to the user, and which access permissions the user has after passing the host checking. The guest role determines the access permissions for users who fail the host checking.

The host compliance check procedure is as follows:

  1. The SSL VPN client sends a connection request and passes authentication.
  2. The SSL VPN server sends the host checking profile to the client.
  3. The client checks the host security status according to the items in the host checking profile. If the host fails the host compliance check, the system will be notified of the check result.
  4. The client sends the check result back to the server.
  5. The server disconnects the failed client or gives it the guest role's access permissions.

The host compliance check function also supports dynamic access permission control. On one hand, when the client's security status changes, the server sends a new host checking profile to the client so that it re-checks; on the other hand, the client can perform security checks periodically. For example, if the AV software is disabled and the host checking function detects this, the role assigned to the client may change, and with it the access permissions.
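
The procedure and the dynamic re-check described above, modeled as an added Python example (not the product's own code). The field names, role names, resource names and the process name avagent.exe are constructed assumptions; KB958215 is the patch example from the factor list.

```python
from dataclasses import dataclass, field

@dataclass
class Profile:
    """Host checking profile sent in step 2 (field names are assumptions)."""
    required_patches: set = field(default_factory=set)
    required_processes: set = field(default_factory=set)
    required_files: set = field(default_factory=set)
    av_realtime_required: bool = False

@dataclass(frozen=True)
class Role:
    name: str
    resources: frozenset

def check_host(profile, host):
    """Step 3: compare the host state with the profile; return the failed items."""
    failed = []
    for kind, need, key in (("patch", profile.required_patches, "patches"),
                            ("process", profile.required_processes, "processes"),
                            ("file", profile.required_files, "files")):
        failed += [f"{kind}:{item}" for item in sorted(need - host.get(key, set()))]
    if profile.av_realtime_required and not host.get("av_realtime", False):
        failed.append("av_realtime")
    return failed

def decide(primary, guest, failed):
    """Step 5: primary role on pass; on failure the guest role, or None (disconnect)."""
    return primary if not failed else guest

# Constructed sample data (hypothetical names, not taken from a real deployment).
PROFILE = Profile(required_patches={"KB958215"},
                  required_processes={"avagent.exe"},
                  av_realtime_required=True)
PRIMARY = Role("engineering", frozenset({"git.internal", "wiki.internal"}))
GUEST = Role("guest", frozenset({"remediation.internal"}))
HEALTHY = {"patches": {"KB958215"}, "processes": {"avagent.exe"}, "av_realtime": True}

def session_roles(host_states, guest=GUEST):
    """Re-check each observed host state in turn (periodic check); return role names."""
    roles = []
    for host in host_states:
        role = decide(PRIMARY, guest, check_host(PROFILE, host))
        roles.append(role.name if role else "disconnected")
    return roles

if __name__ == "__main__":
    av_off = dict(HEALTHY, av_realtime=False)  # AV real-time monitor disabled mid-session
    print(session_roles([HEALTHY, av_off, HEALTHY]))
    print(session_roles([av_off], guest=None))  # no guest role: failed client is disconnected
```

As in steps 3 and 4, the verdict in this model is computed on the client and reported to the server, so the server's role decision depends on what the client reports.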

Configuring a Host Compliance Check Profile

To configure a host compliance check profile, take the following steps:

  1. Select Network > VPN > SSL VPN.
  2. At the top right corner, click Host Compliance Check/Binding to visit the Host Compliance Check/Binding page.
  3. In the Host Compliance Check tab, click New to create a new host checking rule.
  4. Click OK to save the settings.